What is the CVSS score of CVE-2026-27572?

CVE-2026-27572 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.1%.

Which versions of Industrial are affected by CVE-2026-27572?

Wasmtime, a WebAssembly runtime used in production environments, contains a denial-of-service vulnerability that allows attackers to crash services by sending excessive HTTP headers.. A patch is available.

Industrial CVE-2026-27572

HIGH

Allocation of Resources Without Limits or Throttling (CWE-770)

2026-02-24 security-advisories@github.com

GHSA-243v-98vx-264h

Denial Of Service Industrial Red Hat Wasmtime

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

Patch released

Feb 25, 2026 - 15:36 nvd

Patch available

CVE Published

Feb 24, 2026 - 22:16 nvd

HIGH 7.5

DescriptionNVD

Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.6, 36.0.6, 4.0.04, 41.0.4, and 42.0.0, Wasmtime's implementation of the wasi:http/types.fields resource is susceptible to panics when too many fields are added to the set of headers. Wasmtime's implementation in the wasmtime-wasi-http crate is backed by a data structure which panics when it reaches excessive capacity and this condition was not handled gracefully in Wasmtime. Panicking in a WASI implementation is a Denial of Service vector for embedders and is treated as a security vulnerability in Wasmtime. Wasmtime 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 patch this vulnerability and return a trap to the guest instead of panicking. There are no known workarounds at this time. Embedders are encouraged to update to a patched version of Wasmtime.

AnalysisAI

Wasmtime's HTTP header handling in the wasmtime-wasi-http crate crashes when processing excessive header fields, allowing remote attackers to trigger denial of service against applications embedding Wasmtime. The vulnerability affects versions prior to 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0, and has been patched to return a controlled trap instead of panicking. …

RemediationAI

Within 24 hours: inventory all systems running affected Wasmtime versions (24.0.5 and earlier, 36.0.5 and earlier, 4.0.03 and earlier, 41.0.3 and earlier). Within 7 days: apply available patches to all identified systems, prioritizing production environments. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory